1. Field of the Invention
The present invention relates to technology for preventing unauthorized access in a communications network, and more specifically to technology by which a service for preventing unauthorized access is offered, for example, by an Internet service provider (ISP) to a client. In particular, it relates to technology for taking effective countermeasures against an unauthorized access attack represented by distributed denial of service.
2. Description of the Related Art
Denial of service refers to an attack which suspends or disables a system by intentionally issuing process requests exceeding the permissible limit of the system resources, and it poses the problem that it is difficult to discriminate between a valid process request and an invalid process request. Among such attacks, those issued from attackers distributed over a network are called distributed denial of service (DDoS) (hereinafter referred to as “DDoS attacks”). The DDoS attack is described in detail in, for example, the following literature.
Kevin J. Houle and George M. Weaver, “Trends in Denial of Service Attack Technology”, October, 2001, CERT Coordination Center, [searched on Feb. 17, 2003], Internet.
The conventional technology for countermeasures against the DDoS attack is basically formed of unauthorized access detecting technology by an IDS (intrusion detection system) and defensive technology by packet control. Since the technology can be deployed close to an attacker, it may also be provided with attacker searching technology. Furthermore, it may be provided with inter-organization cooperating technology for cooperative defense at a position close to the attacker.
The technological approaches to realizing countermeasures against a DDoS attack fall roughly into two categories: the existing router replacing system, which requires a router loaded with an extension of the IP protocol or a new protocol, and the existing router application system, which requires no change to an existing router. Japanese Patent Application Laid-open No.2002-164938, a Japanese publication of patents, is an example of the former system, while Japanese Patent Application Laid-open No.2002-16633, also a Japanese publication of patents, is an example of the latter system.
Technological information about the DDoS attack can be found at the following link.
Dave Dittrich, “Distributed Denial of Service (DDoS) Attacks/tools”, [searched on Feb. 17, 2003], Internet.
However, the unauthorized access detecting technology by an IDS and the defensive technology by packet control used by the conventional technology for countermeasures against the DDoS attack each have the following potential problems. The problems are described below by referring to FIG. 1.
In an example of configuring a network shown in FIG. 1, a Web system 1001 for providing a Web service is operated in a client site 1000 which is provided with a firewall 1002 for protection against unauthorized intrusion to the Web system 1001. The Web system 1001 is connected to a boundary router 2001 through the firewall 1002.
The boundary router 2001 is managed by an ISP-A 2000, which is an Internet service provider. The ISP-A 2000 is connected over a network to an ISP-B 3000, an adjacent Internet service provider, through a boundary router 2002, and to an ISP-C 4000, another adjacent Internet service provider, through a boundary router 2003; the boundary routers 2002 and 2003 are also managed by the ISP-A 2000.
The boundary routers 2001, 2002, and 2003 are interconnected through a router 2004 managed by the ISP-A 2000. The terminal used by a user of the ISP-A 2000 can be connected to the router 2004 to make the ISP-A 2000 available.
The ISP-B 3000 manages a boundary router 3001. The terminal used by a user of the ISP-B 3000 can be connected to the router 3001 to make the ISP-B 3000 available.
The ISP-C 4000 manages a boundary router 4001. The terminal used by a user of the ISP-C 4000 can be connected to the router 4001 to make the ISP-C 4000 available.
The boundary routers 2001, 2002, 2003, 3001, and 4001, and the router 2004 are loaded with an IDS.
By referring to the network with the above-mentioned configuration, the problems with the conventional technology for countermeasures against the DDoS attack are explained.
First, there is the problem of misdetection.
Misdetection by an IDS roughly falls into two cases: a false-positive case, in which a non-attack is misdetected as an attack, and a false-negative case, in which an attack fails to be detected.
When an authorized user operates an authorized user terminal 4100 to use the Web service provided by the Web system 1001 in the network configuration shown in FIG. 1, the authorized user terminal 4100 is first connected to the boundary router 4001, and authorized access from the authorized user terminal 4100 to the Web system 1001 is gained through the boundary router 4001, the boundary router 2003, the router 2004, and the boundary router 2001. At this time, for example, the IDS provided in the boundary router 2003 can misdetect the authorized access as unauthorized access, and the boundary router 2003 can cut off the authorized access, thereby causing the false-positive case.
When an attacker intends to make a DDoS attack on, for example, the Web system 1001 using an attacker terminal 2100, the attacker terminal 2100 is connected to the router 2004 first, and unauthorized access from the attacker terminal 2100 to the Web system 1001 is to be gained through the router 2004 and the boundary router 2001. At this time, for example, the IDS provided in the router 2004 can misdetect the unauthorized access as authorized access, and the router 2004 can pass the unauthorized access, thereby causing the false-negative case.
The methods by which an IDS detects unauthorized access roughly fall into two systems: a signature system based on packet pattern matching, and an anomaly system based on detection of an abnormal traffic status. Both are subject to misdetection. Misdetection can be reduced to some extent, but it cannot be completely removed.
On the other hand, the defensive technology has the problem of its influence on an authorized user. That is, since it is difficult to discriminate between a denial of service packet (attack packet) and a packet from an authorized user (authorized packet), an authorized packet can be blocked together with an attack packet.
In FIG. 1, for example, suppose an attacker making a DDoS attack on the Web system 1001 operates an attacker terminal 3100 and connects it to the boundary router 3001 to gain unauthorized access from the attacker terminal 3100 to the Web system 1001. When the IDS provided for the boundary router 3001 detects this, the boundary router 3001 cuts off the unauthorized access. However, by that cutoff, authorized access to the Web service of the Web system 1001 by an authorized user using an authorized user terminal 3200 can also be rejected, which is a further problem with the conventional technology.
This problem occurs because an attack packet, which constitutes unauthorized access, and an authorized packet, which constitutes authorized access, are identical as packets, and it is impossible to discriminate between them by comparing them at the packet level only.
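The three problem cases described above for FIG. 1 (the false positive at the boundary router 2003, the false negative at the router 2004, and the collateral cutoff of the authorized user terminal 3200 at the boundary router 3001) can be reproduced in a small simulation. This is an added illustration, not part of the patent; the router and terminal numbers are taken from FIG. 1, while the paths, packet counts, and rate threshold are constructed assumptions.

```python
from collections import Counter

# Constructed model of FIG. 1: the routers each terminal traverses to reach the Web system 1001.
PATHS = {
    "4100": ["4001", "2003", "2004", "2001"],  # authorized user connected to ISP-C
    "2100": ["2004", "2001"],                   # attacker connected to ISP-A
    "3100": ["3001", "2002", "2004", "2001"],  # attacker connected to ISP-B
    "3200": ["3001", "2002", "2004", "2001"],  # authorized user connected to ISP-B
}


def make_packets(src, count, payload=b"GET / HTTP/1.1"):
    """Constructed packets: an attack packet and an authorized packet carry identical fields."""
    return [{"src": src, "dst": "1001", "payload": payload} for _ in range(count)]


def anomaly_ids(router, packets, threshold):
    """Anomaly-system IDS at one router: a source is flagged when its packet count in the
    observation window exceeds the threshold (assumed rule; only packets crossing the router count)."""
    counts = Counter(p["src"] for p in packets if router in PATHS[p["src"]])
    return {src for src, n in counts.items() if n > threshold}


def packet_filter(router, packets, rule):
    """Defensive packet control at one router: every packet crossing the router that matches
    the rule is dropped. The rule sees packet fields only, so it cannot tell who sent the packet."""
    return [p for p in packets if not (router in PATHS[p["src"]] and rule(p))]


def simulate(threshold=100):
    """Reproduce the three problem cases the description lists for FIG. 1."""
    # Case 1: a busy but authorized user 4100 exceeds the threshold at router 2003 (false positive).
    busy_user = make_packets("4100", 150)
    false_positive = "4100" in anomaly_ids("2003", busy_user, threshold)
    # Case 2: a low-rate attacker 2100 stays under the threshold at router 2004 (false negative).
    slow_attacker = make_packets("2100", 50)
    false_negative = "2100" not in anomaly_ids("2004", slow_attacker, threshold)
    # Case 3: router 3001 detects attacker 3100 and cuts off traffic toward 1001; the rule keys on
    # the destination because, at the packet level, 3100's and 3200's packets are the same.
    mixed = make_packets("3100", 120) + make_packets("3200", 5)
    detected = anomaly_ids("3001", mixed, threshold)
    survivors = packet_filter("3001", mixed, lambda p: p["dst"] == "1001")
    authorized_passed = sum(1 for p in survivors if p["src"] == "3200")
    return {"false_positive": false_positive, "false_negative": false_negative,
            "detected_at_3001": detected, "authorized_3200_passed": authorized_passed}


if __name__ == "__main__":
    print(simulate())
```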
In sum, the conventional technology for countermeasures against a DDoS attack has the following problems.
Although states arise in which countermeasures are taken against a non-attack, or in which no countermeasures are taken against an attack, correct countermeasures are still to be taken against an unauthorized access attack.
When countermeasures are taken against a DDoS attack, the influence on an authorized user is to be kept as small as possible.